When invoked by a
new expression for a given type, the default global non-placement forms of
operator new attempt to allocate sufficient storage for an object of the type and, if successful, return a pointer with alignment suitable for any object with a fundamental alignment requirement. However, the default placement
new operator simply returns the given pointer back to the caller without guaranteeing that there is sufficient space in which to construct the object or ensuring that the pointer meets the proper alignment requirements. The C++ Standard, [expr.new], paragraph 16 [ISO/IEC 14882-2014], nonnormatively states the following:
[Note: when the allocation function returns a value other than null, it must be a pointer to a block of storage in which space for the object has been reserved. The block of storage is assumed to be appropriately aligned and of the requested size. The address of the created object will not necessarily be the same as that of the block if the object is an array. —end note]
(This note is a reminder of the general requirements specified by the C++ Standard, [basic.stc.dynamic.allocation], paragraph 1, which apply to placement
new operators by virtue of [basic.stc.dynamic], paragraph 3.)
In addition, the standard provides the following example later in the same section:
new(2, f) Tresults in a call
of operator new(sizeof(T) * 5 + y, 2, f).
yare non-negative unspecified values representing array allocation overhead; the result of the new-expression will be offset by this amount from the value returned by
operator new. This overhead may be applied in all array new-expressions, including those referencing the library function
operator new(std::size_t, void*)and other placement allocation functions. The amount of overhead may vary from one invocation of new to another.
Do not pass a pointer that is not suitably aligned for the object being constructed to placement
new. Doing so results in an object being constructed at a misaligned location, which results in undefined behavior. Do not pass a pointer that has insufficient storage capacity for the object being constructed, including the overhead required for arrays. Doing so may result in initialization of memory outside of the bounds of the object being constructed, which results in undefined behavior.
Finally, do not use placement
new on any platform that does not specify a limit for the overhead it requires.
Noncompliant Code Example
In this noncompliant code example, a pointer to a
short is passed to placement
new, which is attempting to initialize a
long. On architectures where
sizeof(short) < sizeof(long), this results in undefined behavior. This example, and subsequent ones, all assume the pointer returned by placement
new will not be used after the lifetime of its underlying storage has ended. For instance, the pointer will not be stored in a
static global variable and dereferenced after the call to
f() has ended. This assumption is in conformance with MEM50-CPP. Do not access freed memory.
Noncompliant Code Example
This noncompliant code example ensures that the
long is constructed into a buffer of sufficient size. However, it does not ensure that the alignment requirements are met for the pointer passed into placement
new. To make this example clearer, an additional local variable
c has also been declared.
Compliant Solution (
In this compliant solution, the
alignas declaration specifier is used to ensure the buffer is appropriately aligned for a
Compliant Solution (
This compliant solution ensures that the
long is constructed into a buffer of sufficient size and with suitable alignment.
Noncompliant Code Example (Failure to Account for Array Overhead)
This noncompliant code example attempts to allocate sufficient storage of the appropriate alignment for the array of objects of
S. However, it fails to account for the overhead an implementation may add to the amount of storage for array objects. The overhead (commonly referred to as a cookie) is necessary to store the number of elements in the array so that the array delete expression or the exception unwinding mechanism can invoke the type's destructor on each successfully constructed element of the array. While some implementations are able to avoid allocating space for the cookie in some situations, assuming they do in all cases is unsafe.
Compliant Solution (Clang/GCC)
The amount of overhead required by array new expressions is unspecified but ideally would be documented by quality implementations. The following compliant solution is specifically for the Clang and GNU GCC compilers, which guarantee that the overhead for dynamic array allocations is a single value of type
size_t. (Note that this value is often treated as a "-1th" element in the array, so the actual space used may be larger.) To verify that the assumption is, in fact, safe, the compliant solution also overloads the placement
new operator to accept the buffer size as a third argument and verifies that it is not smaller than the total amount of storage required.
Porting this compliant solution to other implementations requires adding similar conditional definitions of the overhead constant, depending on the constraints of the platform.
|Axivion Bauhaus Suite|
C++3119, C++3128, DF3520, DF3521, DF3522, DF3523
|LDRA tool suite|
Do not pass a pointer that has insufficient storage capacity or that is not suitably aligned for the object being constructed to placement 'new'
|Polyspace Bug Finder|
|CERT C++: MEM54-CPP||Checks for placement new used with insufficient storage or misaligned pointers (rule fully covered)|
Search for CERT website.resulting from the violation of this rule on the
|[ISO/IEC 14882-2014]||Subclause 3.7.4, "Dynamic Storage Duration"|
Subclause 5.3.4, "New"